October 09, 2013 Articles

Glitches Within the CFAA's "Exceeds Authorized Access" Language

Defendants facing charges under the Computer Fraud and Abuse Act are affected by differing interpretations of a specific provision.

By Aaron M. Danzig and Matthew A. S. Esworthy

In 1986, Congress passed the Computer Fraud and Abuse Act (CFAA) as a means to address the growing problem of computer crime and, specifically, individuals engaged in computer intrusion and hacking. 18 U.S.C. § 1030. Among other things, the CFAA criminalizes accessing protected computers without authorization and also prohibits individuals who have authorized access to protected computers from exceeding the scope of their authorization. 18 U.S.C. § 1030(a). A protected computer includes those exclusively used by financial institutions and the government and those used in interstate commerce or communication. 18 U.S.C. § 1030(e)(2). Criminal penalties can reach up to 10 years’ imprisonment for a first offense. 18 U.S.C. § 1030(c). Additionally, after an amendment created a civil cause of action under the CFAA, 18 U.S.C. § 1030(g), employers have increasingly utilized the statute in civil suits against former employees accused of a range of improprieties committed on computers during employment, including former employees who accessed company computers to gain information for use in competing with their former employers.

The meaning of “exceeds authorized access” has come under increased scrutiny in the courts recently, with differing outcomes. Some courts have held that the violation of an employer’s computer-use policy could lead to a criminal violation under the CFAA, while other courts have rejected that view as too expansive.

Broad and Narrow Views of “Exceeds Authorized Access”
There has been a divergence among circuits regarding the meaning and scope of “exceeds authorized access,” making the issue ripe for Supreme Court review. On one side, the First, Fifth, Seventh, and Eleventh Circuits have taken what is considered the broad view, which holds that an individual who uses access to which he or she is allowed for a prohibited purpose, such as the misappropriation of the obtained information, is liable under the CFAA. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); see also United States v. Cave, 2013 U.S. Dist. LEXIS 99149 (D. Neb. July 16, 2013).

The reasoning employed by these circuits is exemplified in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), in which a former Social Security Administration employee accessed sensitive personal information for nonbusiness purposes, in violation of the administration’s computer-use policy prohibiting an employee from obtaining information from the administration’s database without a business purpose. The defendant accessed records of 17 people, including his ex-wife, ex-girlfriend, and several other women, for his personal use. The court held that while the employee was allowed to access the database, he exceeded authorized access within the meaning of the CFAA, because of his nonbusiness use of the information. Thus, according to the broad view of the CFAA, an employee’s legitimate computer access can “exceed authorized access” when the employee contravenes his or her employer’s policies, irrespective of whether he or she used the information for a criminal purpose.

Conversely, the Fourth and Ninth Circuits have taken a more limited view of the CFAA. WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); LRVC Holdings LLC v. Brekka, 58 1 F.3d 1127 (9th Cir. 2009); United States v. Nosal, 676 F.3d 854 (9th Cir. 2011). In the civil context, some district courts have also followed this narrow view in recent cases. See, e.g., Power Equip. Maint., Inc. v. Airco Power Servs., 2013 U.S. Dist. LEXIS 91484 (S.D.Ga. June 28, 2013). In United States v. Nosal, 676 F.3d 854 (9th Cir. 2011), an individual who sought to start a competing business obtained proprietary information from his former employer’s database with help from former colleagues. Although the employees’ access to the information was authorized, the company had a policy that forbade dissemination of the information. The court held that “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions,” and affirmed the dismissal of those counts of the indictment. The court reasoned that the CFAA is not an expansive misappropriation statute prohibiting unauthorized use of information to which an individual had authorized access, but instead is designed to prohibit unauthorized access to computers (i.e., hacking). Thus, according to the narrow view, employees who have authority to access information, but then later misappropriate it, are not within the scope of the CFAA.

Defending Criminal Charges under the “Exceeds Authorized Access” Prong
The broad view of the “exceeds authorized access” prong of the CFAA gives the statute much broader applicability than possibly intended by Congress and could lead to discriminatory or arbitrary application. The Ninth Circuit’s opinion in Nosal sets forth a strong argument that should be invoked by those defending clients from CFAA charges, in arguing that the CFAA does not apply to instances where an individual had authorization to access information via computer but then used the information for a personal or inappropriate use.

The broad interpretation of the CFAA could criminalize all sorts of minute, insignificant behavior that takes place in workplaces daily. Any violation of private computer-use policies, such as checking personal emails or Twitter, could constitute behavior that “exceeds authorized access” and could, when applying the broad view of “exceeds authorized access,” subject employees to criminal liability. As cited by the court in Nosal: "When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite." 676 F.3d at 863 (internal quotation marks and citation omitted). The rule of lenity “not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize.” Thus, in instances where a defendant is charged with violating the CFAA by virtue of exceeding his or her “authorized access,” counsel should move to dismiss those charges, citing Nosal and the rule of lenity.

Similar Statutes Addressing Computer Crimes to Be Aware Of
Removing the CFAA from the prosecutor’s arsenal would not impair the government’s ability to prosecute crimes involving computers. Other criminal statutes would still likely apply to the same conduct. For example, the federal trade-secrets statute, 18 U.S.C. § 1832, specifically targets those who knowingly and without authorization obtain, transmit, or buy information used in interstate commerce for the economic benefit of anyone besides the owner. In situations where an employee accessed his or her employer’s computers and obtained confidential information for potentially competitive use, the trade-secrets statute is a more appropriate method in which to charge defendants than the CFAA. See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 202 (4th Cir. 2012). Indeed, the defendant in Nosal was also charged with theft of trade secrets and mail fraud. Also, in United States v. Zhang, 2012 U.S. Dist. LEXIS 74254 (N.D. Cal. May 29, 2012), the defendant was charged with violating the CFAA and multiple trade-secret-theft counts. There, the defendant downloaded company information to which he had access just before he left that company to start a new job. After a bench trial, the court, citing Nosal, ruled that the defendant was not guilty of violating the CFAA. However, he was found guilty of a number of the trade-secret charges and ultimately received a sentence of imprisonment for three months followed by three years of supervised release.

In addition, there are also a number of civil actions that aggrieved employers can take advantage of, rather than seeking remedies under the CFAA. Breach of contract, breach of fiduciary duty, conversion, tortious interference with an economic advantage, unfair competition, or misappropriation of trade secrets are all theories that are a better fit to remedy protected computer misuse than the CFAA.

Conclusion
The CFAA is a wieldy tool for employers unhappy with their former employees’ conduct and, thus, has become increasingly used in the civil context. Because of the CFAA’s criminal implications, its applications in instances where an individual “exceeds authorized access” should be viewed and considered carefully so as not to criminalize all or nearly all computer activity by an employee that contravenes the employer’s computer-use policy. The current circuit split makes this issue ripe for review by the Supreme Court. Until that time, however, when defending charges under the CFAA’s “exceeding authorized access” prong, counsel should mirror the Nosal court’s narrow view and reasoning, contest the CFAA’s applicability, and look to apply the rule of lenity.

Keywords: criminal litigation, Computer Fraud and Abuse Act, 18 U.S.C. § 1030, CFAA, computer crime, exceeds authorized access

Aaron M. Danzig is a partner at Arnall Golden Gregory LLP in Atlanta, Georgia. Matthew A. S. Esworthy is a partner at Shapiro, Sher, Guinot & Sandler in Baltimore, Maryland.


Copyright © 2013, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).